A transition in cryptographic technologies is underway. New algorithms for encryption, authentication, digital signatures, and key exchange are needed to meet escalating security and performance requirements. Many of the algorithms that are in extensive use today cannot scale well to meet these needs. RSA signatures and DH key exchange are increasingly inefficient as security levels rise, and CBC encryption performs poorly at high data rates. An encryption system such as an IPsec Virtual Private Network uses many different component algorithms, and the level of security that it provides is limited by the lowest security level of each of those components. What we need is a complete algorithm suite in which each component provides a consistently high level of security and can scale well to high throughput and high numbers of connections. The next generation of encryption technologies meets this need by using Elliptic Curve Cryptography (ECC) to replace RSA and DH, and using Galois/Counter Mode (GCM) of the Advanced Encryption Standard (AES) block cipher for high-speed authenticated encryption. More on these algorithms below, but first, some good news: the new ISR Integrated Services Module brings these next-generation encryption (NGE) technologies to IPsec Virtual Private Networks, providing a security level of 128 bits or more. These technologies are future proof: the use of NGE enables a system to meet the security requirements of the next decade, and to interoperate with future products that leverage NGE to meet scalability requirements. NGE is based on IETF standards, and meets the government requirements for cryptography stipulated in FIPS-140.

NGE uses new crypto algorithms because they will scale better going forward. This is analogous to the way that jets replaced propeller planes; incremental improvements in propeller-driven aircraft are always possible, but it was necessary to adopt turbojets to achieve significant advances in speed and efficiency.

Everyone has dirty secrets. One of mine is that I like Mazda Miatas, little sports cars that are cheap to buy, cheap to own, handle well, perform above expectations and require little care. Regardless of how you feel about handling and the sensation of dropping the top and having the wind blow through your hair, a little Miata can only do so much. Try to pass, uphill, on a warm day and god forbid, do so with the air conditioner on and a passenger on board, and that little Miata is going to be taxed out. That is one of the reasons I added a little bit of hardware acceleration in the form of a supercharger to mine. Suddenly, with that small upgrade, the little car that could but suffered under heavy load suddenly became the little car that did.

There is a new Whitepaper out on the Next-Generation Cryptography called “Suite B” for Government that will enable a new level of secure communications and collaboration.

The Suite B set of cryptographic algorithms has become the preferred global standard for ensuring the security and integrity of information shared over non-trusted networks. This white paper, intended for public sector IT professionals, explains that:

Suite B combines four well established public domain cryptographic algorithms

The Internet Engineering TaskForce (IETF) has established open standards for commercial products using Suite B, helping organizations adopt it with confidence

Cisco has introduced an IPsec-based implementation of Suite B cryptography in its VPN products

There is a nice quote from David McGrew – Cisco Fellow

“Open and freely implementable cryptography standards are indispensable to global information security. By not asserting patent rights with the Galois/Counter Mode of operation, Cisco has taken an active role in helping Suite B standards remain open.”

Some of the individuals posting to this site, including the moderators, work for Cisco Systems. Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of Cisco. The content is provided for informational purposes only and is not meant to be an endorsement or representation by Cisco or any other party. This site is available to the public. No information you consider confidential should be posted to this site. By posting you agree to be solely responsible for the content of all information you contribute, link to, or otherwise upload to the Website and release Cisco from any liability related to your use of the Website. You also grant to Cisco a worldwide, perpetual, irrevocable, royalty-free and fully-paid, transferable (including rights to sublicense) right to exercise all copyright, publicity, and moral rights with respect to any original content you provide. The comments are moderated. Comments will appear as soon as they are approved by the moderator.